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AMENDMENTS TO THE CLAIMS 



1 1 . (Currently Amended) A policy-based network security management system, the 

2 system comprising: 

3 a security management controller comprising one or more processors; 

4 a computer-readable medium carrying one or more sequences of instructions for 

5 policy-based network security management, wherein execution of the one or 

6 more sequences of instructions by the one or more processors causes the one 

7 or more processors to perform the steps of: 

8 receiving a set of data regarding a user of a networ k, wherein the set of data is 

9 a first set of data that is collected over a first duration of time : 

10 receiving a second set of data that is collected over a second duration of time. 

11 wherein the first duration of time is shorter than the second duration of 

12 time: 

13 assessing a risk level of the user harming the network based on the second set 

14 of data, wherein the second duration of time is sufficient to collect 

15 historical data regarding past malicious activities of the user: 

16 assessing a current alert level based on the first set of data, wherein the first 

17 duration of time is of a length appropriate for assessing current 

18 activities of the user: 

1 9 automatically deciding on a course of action based on th e s e t of data at least 

20 one of the risk level and the current alert level, wherein the course of 

2 1 action may be adverse to the iiser although the s e t of data current alert 

22 level is insufficient to establish whether the user is performing a 

23 malicious action; and 

24 sending signals to one or more network elements in the network to implement 

25 the d e cision course of action . 

1 2. (Original) The system of Claim 1, wherein the set of data includes at least one or 

2 more alerts related to the user. 
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1 3. (Original) The system of Claim 1, wherein the signals include multiple alerts 

2 generated by multiple users; and the system further comprising sequences of 

3 instructions for correlating the multiple alerts to the multiple users. 

1 4. (Canceled) 

1 5. (Canceled) 

1 6. (Currently Amended) The system of Claim 1 bf-S, further comprising sequences of 

2 instructions for performing the steps of: 

3 receiving signals related to an extemal source including at least an alert assessment 

4 relevant to the network as a whole; and 

5 creating and storing a current alert level value based on the alert assessment. 

1 7. (Original) The system of Claim 1 , further comprising sequences of instructions 

2 for performing the steps of: 

3 receiving signals carrying performance information related to a health level of the 

4 network; and 

5 determining the course of action based at least in part on the set of data and the 

6 performance information. 

1 8. (Original) The system of Claim 1 further comprising: 

2 a plurality of routers for routing information sent by users and servers to a variety of 

3 destinations; 

4 a subscriber management system for managing a network; 

5 a controller for executing the sequences of instructions; 

6 a network element for generating input for the set of data; and 

7 sequences of instructions for sending signals to the network elements. 
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1 9. (Currently Amended) A computer-readable tangible storage medium carrying one or 

2 more sequences of instructions for providing policy-based network security 

3 management, wherein execution of the one or more sequences of instructions by one 

4 or more processors causes the one or more processors to perform the steps of: 

5 receiving signals carrying network performance information regarding health of a 

6 network and resource performance information regarding health of resources 

7 used by [[a]] tiie network; 

8 assessing a health level based on the network performance information and the 

9 resource performance information; and 

10 sending signals carrying information affecting use of the network based on at least the 

1 1 health level. 

1 10. (Currently Amended) A computer-readable medium as recited in Claim 9, further 

2 comprising the steps of: 

3 receiving signals related to one or more alerts; 

4 associating with the a user at least the one or more alerts within a current alert dataset 

5 that establishes a current alert level for the user. 

1 11. (Original) A computer-readable medium as recited in Claim 9, further comprising 

2 the step of establishing a user alert. 

1 12. (Original) A computer-readable medium as recited in Claim 9, further comprising 

2 the steps of: 

3 receiving signals related to one or more alerts; 

4 associating with a user at least the one or more alerts within a historical dataset of 

5 alert related information that establishes a user risk level for the user. 

1 13. (Currently Amended) A computer-readable medium as recited in Claim 9, wherein 

2 the step of sending signals further comprises the steps of: 
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3 deciding on a course of action based on at least a user risk level, a current alert level, 

4 and the health level, Md 

5 wherein the information affecting the use of the network bas e d on at leaGt th e h e alth 

6 level is based on at least the course of action and is based on the health level 

7 as a result of being bas e d on the coiuse of action . 

1 14. (Currently Amended) A computer-readable medium as recited in Claim 40 13, 

2 wherein the deciding step includes at least; 

3 determining a us e r risk stat e from a the user risk level[[,]] and determining a curr e nt 

4 al e rt stat e from a the current alert level, and det e rmining a h e alth state from 

5 tho h e alth l e v e l; and 

6 wherein the information affecting the use of the network is based on at l e ast th e 

7 health l e v e l as a r e sult of b e ing is bas e d on at least the user risk state level, 

8 the current alert state level and the health state level 

1 15. (Currently Amended) A policy-based network security management system, the 

2 system comprising: 

3 a security management controller comprising one or more processors; and 

4 the computer-readable medium of Claim 9. 

1 1 6. (Currently Amended) A method of providing policy-based network security 

2 management, comprising the steps of: 

3 receiving a set of data regarding a user of a network , wherein the set of data is a first 

4 set of data that is collected over a first duration of time : 

5 receiving a second set of data that is collected over a second duration of time, wherein 

6 the first duration of time is shorter than the second duration of time: 

7 assessing a risk level of the user harming the network based on the second set of data. 

8 wherein the second duration of time is sufficient to collect historical data 

9 regarding past malicious activities of the user: 

10 assessing a current alert level based on the first set of data, wherein the first duration 

11 of time is of a length appropriate for assessing current activities of the user: 
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1 2 automatically deciding on a course of action based on th e s e t of data at least one of 

1 3 the risk level and the current alert level , wherein the course of action may be 

14 adverse to the user although the s e t of data current alert level is insufficient to 

1 5 establish whether the user is performing a malicious action; and 

16 sending signals to one or more network elements in the network to implement the 

17 d e cision course of action . 

1 1 7. (Original) The method of Claim 1 6 wherein the set of data includes at least one 

2 or more alerts related to the user. 

1 18. (Original) The method of Claim 16, wherein the signals include multiple alerts 

2 generated by multiple users, and the method further comprises correlating the 

3 multiple alerts to the multiple users. 

1 19. (Canceled) 

1 20. (Canceled) 

1 21. (Currently Amended) The method of Claim W 16 further comprising receiving 

2 signals related to an extemal source including an alert assessment relevant to the 

3 network as a whole, wherein the current alert level is also based on the alert 

4 assessment. 

1 22. (Original) The method of Claim 16 further comprising receiving signals carrying 

2 performance information related to a health level of the network, wherein the course 

3 of action is based on the set of data and the performance information. 

1 23. (Currently Amended) A method of policy-based network security management, 

2 comprising the computer-implemented steps of: 

3 receiving one or more signals carrying network performance information regarding 

4 health of one or more network devices in a network, and resource 
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5 performance information regarding health of one or more resources used by 

6 the network; 

7 assessing an overall network health level based on the network performance 

8 information and the resource performance information ; and 

9 sending signals carrying information affecting use of the network based on the overall 
1 0 network health level. 

1 24. (Original) The method of Claim 23 further comprising: 

2 receiving signals related to one or more alerts; 

3 including at least the one or more alerts within a historical dataset of alert related 

4 information that establishes a user risk level for a user; and 

5 including at least the one or more alerts within a current alert dataset that estabUshes a 

6 current alert level. 

1 25. (Original) The method of Claim 23, wherein the sending step further comprising 

2 the steps of: 

3 deciding on a course of action based on at least a user risk level, a current alert level, 

4 and the overall network health level, and 

5 the information affecting the use of the network includes at least information for 

6 carrying out the course of action. 

1 26. (Currently Amended) The method of Claim 2^ 25, wherein the deciding step 

2 includes at least the steps of: 

3 determining a us e r risk state from a the user risk level; 

4 determining a curr e nt al e rt stat e from a the current alert level; and 

5 determining a h e alth state from the overall network health level; and 

6 wherein the information affecting the use of the network is based on at least the 

7 health l e vel as a r e sult of b e ing bas e d on at least the user risk state level 

8 the current alert state level and the overall network health state level 



1 27. (Currently Amended) A method of policy-based network security management, 

2 comprising the computer-implemented steps of: 
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3 collecting network performance statistics related to an overall health of a network 

4 and individual performance statistics of one or more individual units of the 

5 network, the collecting being performed by a performance management 

6 system; 

7 sending the network performance statistics to a controller for analysis; 

8 computing an overall health state from a health l e v e l based on the network 

9 performance statistics and the individual performance statistics, using the 

10 controller; 

1 1 reading extemal alert data from an extemal alert source, using the controller; 

12 collecting security event data from the network; 

13 sending the security event data to a fault management system; 

14 using the fault management system for checking for duplications in the security 

15 event data, and deduplicating duplicate security events in the security 

16 event data; 

17 calculating an alert state from an al e rt level based on the security event data from 

1 8 the fault management system and the extemal alert data; 

19 obtaining user information from a subscriber management system; 

20 correlating the security event data from the fault management system with the 

2 1 subscrib e r user information to form correlated security event data; 

22 reading extemal user risk data from an extemal user risk source into the 

23 controller; 

24 calculating a user risk state from a us e r risk lev e l based on the correlated security 

25 event data and from the extemal user risk data, using the controller; 

26 calculating a decision regarding whether to take corrective action based on the 

27 overall health state, the alert state, and the user risk state, using the 

28 controller; 

29 sending the decision from the controller to the subscriber management system; 

30 and 

3 1 sending directives, related to the decision, from the subscriber management 

32 system to the network. 

1 28. (Currently Amended) A system comprising: 
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2 a fault management[[s]] system fer ttiat receiv[[ing]]es network security data and 

3 deduplicat[[ing]]es duplicate indications of security events in the network 

4 security data to form deduplicated security event information data; 

5 a subscriber management system for that manag[[ing]]es subscribers using a network, 

6 wherein the subscriber management system having user stores subscriber 

7 information data about individual users and being is capable of sending 

8 directives to the individual users based on a decision to take corrective action 

9 toward the individual users; 

10 wherein the deduplicated n e twork security event data from the fault management 

1 1 system is correlated to the subscriber information to form correlated network 

12 security data; 

13 a performance management system fe? that receiv[[ing]]es overall performance data 

14 related to an overall health of [[a]] the network and individual performance 

15 data related to a health of one or more individual units of the network; and 

16 a controller for that: 

17 receiv[[ing]]es extemal alert data from an extemal alert source, extemal user 

1 8 risk data from an extemal user risk source, the deduplicated n e twork 

1 9 security event informaticm data, the correlated network security 

20 informatics data, the overall performance data, and the individual 

2 1 performance data^-afid; 

22 comput[[ing]]es an alert state from an al e rt l e v e l based on at least the extemal 

23 alert data and the deduplicated network security event data, a user risk 

24 state from based on at least the extemal user risk data and a user risk 

25 lev e l bas e d on the correlated network security e v e nt data, and a health 

26 state from a h e alth l e v e l based on at least the overall performance data 

27 and the individual performance datarand; 

28 makes t he decision whether to take corrective action based on at least the alert 

29 state, the user risk state, and the health state[[,]]; and 

30 caus[[ing]]es directives that implement the decision to be sent to the network. 
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1 29. (New) An apparatus for providing policy-based network security management, 

2 comprising: 

3 means for receiving a set of data regarding a user of a network, wherein the set of 

4 data is a first set of data that is collected over a first duration of time; 

5 means for receiving a second set of data that is collected over a second duration of 

6 time, wherein the first duration of time is shorter than the second duration of 

7 time; 

8 means for assessing a risk level of the user harming the network based on the second 

9 set of data, wherein the second duration of time is sufficient to collect 

10 historical data regarding past malicious activities of the user; 

1 1 means for assessing a current alert level based on the first set of data, wherein the first 

12 duration of time is of a length appropriate for assessing current activities of 

13 the user; 

14 means for automatically deciding on a course of action based on at least one of the 

15 risk level and the current alert level, wherein the coxu-se of action may be 

16 adverse to the user although the current alert level is insufficient to establish 

17 whether the user is performing a malicious action; and 

18 means for sending signals to one or more network elements in the network to 

19 implement the course of action. 

1 30. (New) An apparatus for providing poUcy-based network security management, 

2 comprising: 

3 means for receiving signals carrying network performance information regarding 

4 health of a network and resource performance information regarding health of 

5 resources used by the network; 

6 means for assessing a health level based on the network performance information and 

7 the resource performance information; and 

8 means for sending signals carrying information affecting use of the network based on 

9 at least the health level. 
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